Steve,
We have the same problem with the web interface. From what I can tell, you must
either sync accounts, delegate account passwords with RADIUS (which works for
the web interface but not Kerberos) and/or use service accounts.

Our systems use kickstart and auto-join ipa on deployment with a service
account, which may work for your needs. There's also an ansible module you
could use with an ansible-vaulted ipa-join service account.
Thanks,
-Jake
From: "freeipa-users" <freeipa-users@lists.fedorahosted.org>
To: "freeipa-users" <freeipa-users@lists.fedorahosted.org>
Cc: "Steve Weeks" <nbxst...@gmail.com>
Sent: Friday, July 28, 2017 12:46:02 PM
Subject: [Freeipa-users]ipa-client-install using AD/ad_admin credentials
We want to let AD admins install new Linux FreeIPA clients using their AD
credentials. It looks like it fails using kinit in the script. If you run kinit
'AD\ad_admin' you get the same error.
Is it feasible to do what we want? Does it make sense? We already have a system
for managing the sysadmins in AD and don't really want to set up double accounts
for them. (We have lots of sysadmins).
Thanks,
Steve
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org